Introduction

The vast majority of attacks on a Dionaea honeypot are automated. The attacking script doesn’t bother checking the responses of services and just launches its attack when it finds an open port. Cool! We can catch a lot of malware this way. Here is an Nmap -sV scan of a Dionaea Honeypot I set up for a previous article:

If you want to use Dionaea to catch live people attacking your network there is an obvious problem: a human who runs nmap -sV before touching anything sees “Dionaea honeypot” in the service column and moves on.

In this tutorial I will be walking you through configuring a Dionaea honeypot so that Nmap’s service detection no longer identifies it.

How Nmap detects services

When an Nmap scan is initiated with one of the service detection options (-sV or -A), Nmap sends a series of probes to each open port. Every response it gets back is compared against the regular expressions on the match lines in /usr/share/nmap/nmap-service-probes, and the first one that hits decides the product name you see in the output. We can see which Dionaea services Nmap can detect using grep:

grep Dionaea /usr/share/nmap/nmap-service-probes

Here’s the output with the matches in bold so they can be seen more easily:

In this version of Nmap there are six possible service responses that could be identified as Dionaea. Looking back at the screenshot earlier in the article we can see that Nmap only identified two of our services as Dionaea honeypot. Not bad but we can do better.

Configuring the SMB service

First we are going to look at the SMB service. Let’s take a deeper look at the nmap-service-probes entry for this service.

In /opt/dionaea/lib/dionaea/python/dionaea/smb/extras.py we can see that the default values for primary_domain and server_name are “WORKGROUP” and “HOMEUSER-3AF6FE”. Let’s look at nmap-service-probes again with the relevant info in bold:

Nmap is looking for the primary_domain “WORKGROUP” and the server_name “HOMEUSER-” followed by any six characters (except for a line break). Busted. Let’s change it up. The SMB service can be customized via a YAML file. Let’s look at /opt/dionaea/etc/dionaea/services-enabled/smb.yaml

The section we’re going to change is “Additional config”. Uncomment all three lines and change the values to whatever you choose; I’ll be using “Development” and “Development-Server”. Pick names that look like a real workgroup and host on your network rather than anything that hints at a honeypot. When you’re finished the three lines should be uncommented and carry your new values.
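The grep above and the YAML edit can be checked without rescanning. The script below is an added example written for this edit, not code from the original post or from the Dionaea project: it parses match lines in the nmap-service-probes format, keeps the ones that name Dionaea, and runs them against a candidate response the way Nmap would. The probe entries and the SMB response bytes in it are constructed stand-ins (the real Dionaea regexes are long binary patterns and the real Session Setup response is SMB-framed UTF-16LE), so for a real check point parse_match_lines at the real file and feed identify() bytes captured from your own honeypot.

```python
import re
from dataclasses import dataclass

# Format of a match line in nmap-service-probes:
#   match <service> m<delim><regex><delim>[flags] [p/<product>/ v/<version>/ i/<info>/ ...]
# The delimiter is any single character that does not occur in the regex; the flags
# are "i" (case-insensitive) and "s" (dot matches newline).
MATCH_LINE = re.compile(r'^(match|softmatch)\s+(\S+)\s+m(.)(.*?)\3([is]*)\s*(.*)$')
PRODUCT = re.compile(r'p/([^/]*)/')


@dataclass
class ProbeMatch:
    service: str
    pattern: re.Pattern   # compiled as a bytes regex: Nmap matches raw response bytes
    product: str
    line: str


def parse_match_lines(text: str):
    """Turn the match/softmatch lines of a probes file into compiled entries."""
    matches = []
    for raw in text.splitlines():
        m = MATCH_LINE.match(raw.strip())
        if not m:
            continue  # Probe/ports/rarity/comment lines are not match entries
        _kind, service, _delim, regex, flags, versioninfo = m.groups()
        reflags = 0
        if 'i' in flags:
            reflags |= re.IGNORECASE
        if 's' in flags:
            reflags |= re.DOTALL
        # Nmap writes binary bytes as \xNN escapes; Python's bytes regexes understand
        # the same escapes, so the pattern text is encoded byte-for-byte and compiled.
        pattern = re.compile(regex.encode('latin-1'), reflags)
        prod = PRODUCT.search(versioninfo)
        matches.append(ProbeMatch(service, pattern, prod.group(1) if prod else '', raw.strip()))
    return matches


def honeypot_signatures(matches, needle='Dionaea'):
    """Same selection as `grep Dionaea nmap-service-probes`, on parsed entries."""
    return [m for m in matches if needle.lower() in m.line.lower()]


def identify(response: bytes, matches):
    """Products whose regex hits the response; Nmap reports the first of these."""
    return [m.product for m in matches if m.pattern.search(response)]


# Constructed excerpt in nmap-service-probes format. The real Dionaea entry is a long
# binary regex; this shortened stand-in keys on the same two fields the text discusses.
CONSTRUCTED_PROBES = r"""
Probe TCP NULL q||
match ftp m|^220 .*FileZilla Server| p/FileZilla ftpd/
Probe TCP SMBProgNeg q|\x00\x00\x00\xa4\xff\x53\x4d\x42|
match microsoft-ds m|WORKGROUP\x00.*HOMEUSER-.{6}\x00|s p/Dionaea honeypot smbd/
"""


def smb_session_setup_response(domain: str, server: str) -> bytes:
    """Constructed stand-in for the Session Setup AndX response that carries the
    primary domain and server name (the real packet is SMB-framed and UTF-16LE)."""
    return b"\xffSMB\x73" + b"\x00" * 8 + domain.encode() + b"\x00" + server.encode() + b"\x00"


def audit(domain: str, server: str):
    """Which Dionaea signatures would still fire for a given SMB configuration."""
    sigs = honeypot_signatures(parse_match_lines(CONSTRUCTED_PROBES))
    return identify(smb_session_setup_response(domain, server), sigs)


if __name__ == "__main__":
    for domain, server in [("WORKGROUP", "HOMEUSER-3AF6FE"), ("Development", "Development-Server")]:
        print(domain, server, "->", audit(domain, server) or "no Dionaea match")
```

To run it against the real signatures, read /usr/share/nmap/nmap-service-probes with encoding='latin-1' (the file is not guaranteed to be UTF-8), pass the text to parse_match_lines, and hand identify() the bytes of a response captured from your honeypot with Wireshark or tcpdump. Any product string that comes back is what a scanner would print.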

Configuring the MSSQL service

For this one I had to fire up Wireshark. What Nmap is looking for here is a series of bytes in the pre-login response, the first message the server sends back when a client (or a scanner) starts the MS-SQL login process. Here’s a screenshot of the relevant packet in Wireshark:

The highlighted bytes match the entry in nmap-service-probes. You can confirm this yourself by running Wireshark while doing an Nmap service identification scan against port 1433:

nmap -p 1433 -sV ip.of.your.honeypot

Using a Wireshark display filter makes things easier:

ip.src == ip.of.your.honeypot && tds

Once your display filter is in place and your Nmap scan is running you should see a single packet with “TDS” in the Protocol column and “Response” in the Info column. Click on the “Tabular Data Stream” in the packet detail pane of Wireshark and you should see the bytes highlighted like in my screenshot above.

Unfortunately, Dionaea doesn’t provide much in the way of customization in the mssql.yaml file, so we will dig into some Python.

We can find the relevant part of /opt/dionaea/lib/dionaea/python/dionaea/mssql/mssql.py using grep with options to show line numbers (-n) and the twenty lines that follow each hit (-A 20):

grep -n -A 20 "def process" /opt/dionaea/lib/dionaea/python/dionaea/mssql/mssql.py

Here’s the output:

If we change r.VersionToken.TokenType (line 147) to a different value the response no longer matches the regex. I’m going to change it to “0x01”. That field is the type of the first option token in the pre-login response (VERSION, normally 0x00); setting it to 0x01 makes it collide with the ENCRYPTION token that follows, which a strict TDS client would reject, but that only matters if you need real clients to get past the pre-login handshake.

Here is a screenshot of Wireshark showing the new packet. Notice that the 9th highlighted byte has changed from “00” to “01”:

Let’s see what Nmap has to say about the change:

Looks good! Our honeypot is much stealthier now.
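The Wireshark step can be scripted. What follows is an added example, written for this edit rather than taken from the post or from Dionaea’s mssql.py: it builds a minimal client PRELOGIN of the kind a client or scanner sends, builds a constructed response in the shape Dionaea answers with, and decodes the TDS header and token table so the byte the text changes (the VERSION token’s TokenType, wire index 8, the 9th byte) can be located without a packet capture. probe() sends the PRELOGIN to a live host; the version value 10.0.1600 and the TDS header fields beyond the spec defaults are assumptions.

```python
import socket
import struct

TDS_PRELOGIN = 0x12         # packet type of the client's PRELOGIN message
TDS_TABULAR_RESULT = 0x04   # packet type the server answers with
TOKEN_NAMES = {0x00: "VERSION", 0x01: "ENCRYPTION", 0x02: "INSTOPT",
               0x03: "THREADID", 0x04: "MARS", 0xFF: "TERMINATOR"}


def tds_packet(ptype, payload, status=0x01, spid=0, packet_id=1, window=0):
    """Wrap a payload in the 8-byte TDS header: Type, Status (0x01 = end of message),
    Length (big-endian, includes the header), SPID, PacketID, Window."""
    return struct.pack(">BBHHBB", ptype, status, 8 + len(payload), spid, packet_id, window) + payload


def prelogin_payload(options):
    """options: list of (token_type, value_bytes). The PRELOGIN body is a table of
    5-byte tokens (type, offset, length; offset is relative to the payload start,
    both big-endian) closed by 0xFF, followed by the values the tokens point at."""
    table_len = 5 * len(options) + 1
    table, data, offset = b"", b"", table_len
    for ttype, value in options:
        table += struct.pack(">BHH", ttype, offset, len(value))
        data += value
        offset += len(value)
    return table + b"\xff" + data


def build_prelogin_request():
    """Minimal client PRELOGIN (all option values zero)."""
    opts = [(0x00, bytes(6)), (0x01, b"\x00"), (0x02, b"\x00"), (0x03, bytes(4)), (0x04, b"\x00")]
    return tds_packet(TDS_PRELOGIN, prelogin_payload(opts))


def build_prelogin_response(version_token_type=0x00):
    """Constructed server reply in the shape Dionaea produces. The VERSION token comes
    first, so its TokenType is the byte right after the header (wire index 8).
    Passing 0x01 reproduces the mssql.py edit discussed in the text."""
    opts = [(version_token_type, b"\x0a\x00\x06\x40\x00\x00"),  # assumed version 10.0.1600, sub-build 0
            (0x01, b"\x02"),   # ENCRYPTION: ENCRYPT_NOT_SUP
            (0x02, b"\x00"),   # INSTOPT: empty instance name
            (0x03, b""),       # THREADID: servers send a zero-length value
            (0x04, b"\x00")]   # MARS off
    return tds_packet(TDS_TABULAR_RESULT, prelogin_payload(opts))


def parse_prelogin_response(packet: bytes):
    """Decode the header and token table; returns (header dict, list of token dicts)."""
    ptype, status, length, spid, pid, window = struct.unpack(">BBHHBB", packet[:8])
    if len(packet) < length:
        raise ValueError("truncated TDS packet")
    payload = packet[8:length]
    tokens, pos = [], 0
    while payload[pos] != 0xFF:  # 0xFF terminates the token table
        ttype, off, ln = struct.unpack(">BHH", payload[pos:pos + 5])
        tokens.append({"type": ttype, "name": TOKEN_NAMES.get(ttype, "UNKNOWN"),
                       "wire_index": 8 + pos, "value": payload[off:off + ln]})
        pos += 5
    return {"type": ptype, "status": status, "length": length, "spid": spid}, tokens


def probe(host, port=1433, timeout=5.0):
    """Send a PRELOGIN to a live host and return the raw response bytes."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_prelogin_request())
        return s.recv(4096)


def hexdump(data: bytes) -> str:
    return " ".join(f"{b:02x}" for b in data)


if __name__ == "__main__":
    import sys
    raw = probe(sys.argv[1]) if len(sys.argv) > 1 else build_prelogin_response()
    hdr, toks = parse_prelogin_response(raw)
    print(hexdump(raw))
    for t in toks:
        print(f"wire[{t['wire_index']}] type=0x{t['type']:02x} {t['name']:10s} value={t['value'].hex()}")
```

Run it with the honeypot’s address as the argument before and after the mssql.py edit and diff the two hex dumps; the only byte that should change is wire index 8. Without an argument it decodes the constructed response so the layout can be studied offline.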

CONCLUSION

Service identification is a cat and mouse game. Any new release of Nmap could have adjustments to the nmap-service-probes file that identify a previously unidentified Dionaea service, and anyone who reads chapter 7 of the Nmap book can create their own entries in nmap-service-probes. Keep in mind too that the set of open ports is a tell on its own: a single cheap host answering on FTP, SMB, MS-SQL, MySQL, SIP and HTTP at once looks like a honeypot even when every banner is clean. If keeping your honeypot stealthy is important to you the best thing to do is keep Nmap up to date, scan yourself often, and occasionally change up the values in the YAML configuration files located in /opt/dionaea/etc/dionaea/services-*. If a new version of Nmap identifies your honeypot just follow the basic steps we took here:

1. grep the nmap-service-probes file to see how Nmap is identifying the service.

2. Find the YAML configuration file or Python script for that service and edit it so that the information identified in step 1 no longer matches what’s in nmap-service-probes. Wireshark can help a lot with this step in figuring out what to change.

That’s it! If you have any issues or questions please leave a comment below or find me on Twitter @TheJBAnderson

In this tutorial I’m going to walk you through installing Modern Honey Network (MHN) and adding sensors, setting up a Dionaea honeypot, setting up the Dionaea SMB service, setting up Dionaea iHandlers, installing the MalwareCollectorSlack NodeJS server for Slack reporting, and configuring Dionaea to upload payloads to a custom location.

Beginners looking to get into malware analysis are often pointed towards the Dionaea honeypot for collecting malware in the wild for analysis. Installation is often suggested to be done through the Modern Honey Network application. Unfortunately, the tutorials that exist online are incomplete, outdated, or just plain wrong, and the automated Dionaea deployment through MHN installs a broken version of Dionaea. The GitHub issues of both the Dionaea and MHN projects are littered with people asking for assistance just getting the honeypot catching malware. After several days of troubleshooting I have a honeypot collecting malware and uploading data to MHN, and for fun I set up a little NodeJS server to alert me via Slack. Let’s get started!

Requirements

- A DigitalOcean account – I will be using DigitalOcean throughout the tutorial. You can probably still follow along using other providers, but no guarantees.

PART 1 – Installing Modern Honey Network (MHN)

Head over to DigitalOcean and create a new Ubuntu 14.04 x64 Droplet at the $10/mo level. This is the cheapest level it can work on.

Access your new Droplet. Here’s a link to some stuff you should consider doing before moving forward.

First we need to update curl to version 7.50. Enter the following commands:

Now we install MHN. Make sure you understand that we are installing as root and the associated risks with this. Complete the MHN configuration when prompted and remember the email and password used here, you will log in with them later. Also make note of the IP and port you set up during configuration. It defaults to the web app running on port 80 and HoneyMap running on port 3000:

Log into the MHN interface using the email and password you created during configuration. Along the top of the Dashboard there is a drop-down menu named “Sensors”. Click the dropdown and select “Add Sensor”. Put “dionaea” in all three text fields and hit the “Create” button. You will see a UUID like in my screenshot below:

Screenshot of MHN sensor UUID setup

Now we need to set up a user for the HPfeeds. Enter the following commands at the command prompt:

PART 2 – Installing Dionaea Honeypot

Create another Ubuntu 14.04 droplet on DigitalOcean. The $5/mo level is fine. Here’s the link again for stuff you should do before moving forward. Like before we need to update curl. Here are the commands again:

- name: hpfeeds
  config:
    server: "IP of your server"
    port: 10000
    ident: "The UUID we set up when we added a sensor in MHN"
    secret: "The SECRET you set up when we added the hpfeeds user"
    # dynip_resolve: enable to lookup the sensor ip through a webservice
    #dynip_resolve: "http://hpfriends.honeycloud.net/ip"

That should do it. Restart dionaea and you should almost immediately start seeing attacks roll in on MHN. Give it about an hour before you see payloads. Generally I get a few an hour, but sometimes nothing for multiple hours. If you want to test using Metasploit (ms10_061_spoolss) make sure your ISP is not filtering ports somewhere along the wire (apparently Comcast in my area filters 25, 139, and 445 on all traffic by default). I ended up having to install Metasploit on a DigitalOcean droplet to get around the issue.

sudo service dionaea restart

While I’m waiting I like to watch the attacks happen live in my console by tailing dionaea.log:

cd /opt/dionaea/var/dionaea
tail -f dionaea.log

Part 3: Set up Slack and Slack logging

So now we are catching malware in the wild and reporting the attacks and payloads to an MHN Dashboard. Cool. I noticed two problems right away:

I had no way of knowing when malware was collected without checking MHN or using SSH to check the dionaea server manually.

The payloads were not transmitted to the MHN server. Great information about the payload is sent but not the actual malware itself.

To resolve these issues I put together a little NodeJS server to accept files from dionaea and to alert me via Slack in real time that malware has been collected. This final part of the walk-through will show you how to set up MalwareCollectorSlack and configure dionaea to send the actual malware to our server.

First head over to Slack and set up a team. Sign into your team and go to Apps and set up a Bot user. You will be given a token that we will be using later on. You should also set up three channels: logging, general, and json

Now we need to set an environment variable for the token that you got when you set up your Slack bot. Instead of using an environment variable you could just edit line 29 in server.js. I only did this step so I didn’t accidentally push my token to GitHub. You should also rename the Slack bot to your preferred name on line 30 in server.js:

SLACK_TOKEN=token received when Slack team was setup
export SLACK_TOKEN

Go ahead and set the notifications for each Slack channel to “all new messages” so we know when the data starts flowing.

I like to use “forever” to make sure that my script keeps running and to provide logging. Make sure to run sudo with the -E option if you used an environment variable for the Slack token, otherwise sudo drops it and the server starts without a token:

If you turned on Slack notifications you should be getting alerts every few seconds from the /json channel. With a little luck within a few minutes you should see a “Malware Collected” message and the MD5 hash of the captured malware in the /general channel.

Part 4: Payload uploads

The final two things we need to do are add a script to upload the samples to our server and edit store.py to call our script whenever Dionaea collects malware.

We are going to need to install pip3 and the Python 3 requests library:

sudo apt-get install python3-pip
sudo pip3 install requests

Now we need to create the custom script and place it where Dionaea can find it:
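The script below is an added example written for this edit, my own rather than the author’s script or anything shipped with Dionaea or MalwareCollectorSlack: it reads the stored sample, hashes it, posts it with the requests library installed above, and returns the HTTP status and MD5 so the caller in store.py can log the result. The collector URL, the Bearer token scheme and the form field names (file, md5, sha256, size) are assumptions; change them to whatever your server expects.

```python
#!/usr/bin/env python3
"""Hypothetical sample-upload helper for Dionaea (example code, not the project's own).

Call upload(path, url, token) from store.py with the path of a freshly stored sample,
or run it by hand:  upload_sample.py /opt/dionaea/var/dionaea/binaries/<md5> http://collector/upload
"""
import hashlib
import os
import sys


def hash_bytes(data: bytes) -> dict:
    """MD5 (what MHN and Dionaea's own logs key on), SHA-256 and size of a sample."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
        "size": len(data),
    }


def build_request(filename: str, data: bytes, token: str) -> dict:
    """Keyword arguments for requests.post: one multipart file part plus the hashes as
    form fields, so the collector can verify the upload and dedupe on MD5 server-side.
    Field names and the Bearer header are assumptions about the collector's API."""
    meta = hash_bytes(data)
    return {
        "files": {"file": (filename, data, "application/octet-stream")},
        "data": {"md5": meta["md5"], "sha256": meta["sha256"], "size": str(meta["size"])},
        "headers": {"Authorization": f"Bearer {token}"},
    }


def upload(path: str, url: str, token: str, timeout: float = 30.0):
    """POST the sample at `path` to `url`; returns (HTTP status, md5)."""
    import requests  # installed in the step above; imported here so the hashing helpers need no dependency
    with open(path, "rb") as fh:
        data = fh.read()
    kwargs = build_request(os.path.basename(path), data, token)
    resp = requests.post(url, timeout=timeout, **kwargs)
    resp.raise_for_status()  # a 4xx/5xx from the collector raises instead of silently losing the sample
    return resp.status_code, kwargs["data"]["md5"]


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit("usage: upload_sample.py <sample path> <collector url>")
    status, md5 = upload(sys.argv[1], sys.argv[2], os.environ.get("UPLOAD_TOKEN", ""))
    print(f"uploaded {md5}: HTTP {status}")
```

Dionaea stores each binary under its MD5, so the filename it receives is already the hash; the script still recomputes it so a partially written file is caught rather than uploaded under the wrong name. When wiring it into store.py, call it after the file has been fully written and closed, and keep the token in an environment variable for the same reason as the Slack token above.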